Description
Pug allows JavaScript code execution if an application accepts untrusted input
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-36361
- https://github.com/pugjs/pug/pull/3428
- https://github.com/pugjs/pug/pull/3438
- https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb
- https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
- https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328
- https://github.com/pugjs/pug/releases/tag/pug%403.0.3
- https://pugjs.org/api/reference.html
- https://www.npmjs.com/package/pug-code-gen
Packages
- pug-code-gen: affected <= 3.0.2, fixed in 3.0.3
- pug: affected <= 3.0.2, fixed in 3.0.3
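
Two defensive checks for the issue described above, as an added example that is not Pug's own code: an allowlist guard for the `name` option, and a scan of a `package-lock.json` `packages` map for the affected versions listed here. The helper names (`assertSafeTemplateName`, `compileClientSafely`, `findAffectedPackages`) and the sample lockfile are constructed for illustration.

```javascript
'use strict';

// Conservative allowlist: `name` must be a short ASCII JavaScript identifier.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function assertSafeTemplateName(name) {
  if (typeof name !== 'string' || name.length > 64 || !IDENTIFIER.test(name)) {
    throw new TypeError('template name must be a plain JavaScript identifier');
  }
  return name;
}

// Hypothetical wrapper: validate `name` before it reaches compileClient.
// `pug` is passed in so the guard can be exercised without the package.
function compileClientSafely(pug, source, options = {}) {
  if (options.name !== undefined) assertSafeTemplateName(options.name);
  return pug.compileClient(source, options);
}

// Last affected version of each package, taken from this advisory.
const LAST_AFFECTED = { 'pug': [3, 0, 2], 'pug-code-gen': [3, 0, 2] };

function isAffected(version, lastAffected) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== lastAffected[i]) return parts[i] < lastAffected[i];
  }
  return true; // exactly the last affected version
}

// Walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3),
// including nested node_modules copies pulled in by other dependencies.
function findAffectedPackages(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const pkg = path.split('node_modules/').pop();
    if (LAST_AFFECTED[pkg] && typeof meta.version === 'string' &&
        isAffected(meta.version, LAST_AFFECTED[pkg])) {
      hits.push(`${pkg}@${meta.version}`);
    }
  }
  return hits;
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/pug': { version: '3.0.2' },
  'node_modules/pug/node_modules/pug-code-gen': { version: '3.0.3' },
  'node_modules/other/node_modules/pug-code-gen': { version: '2.0.3' },
} };
```

The guard is still worth keeping after upgrading to 3.0.3, since it rejects unexpected `name` values at the application boundary regardless of the installed Pug version.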
Related vulnerabilities
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
Vulnerability in the compileClient, compileFileClient, and compileClientWithDependenciesTracked functions of the Pug (formerly Jade) HTML templating engine, allowing an attacker to execute arbitrary code